[j-nsp] solution to a firewall question
Vijesh Chandran
vijesh at juniper.net
Thu Apr 23 20:24:29 EDT 2015
Is there a programming difference between 'firewall filter' and 'firewall family inet filter'? (ignore the v4 part of that)?
afaik, family inet filter will skip all subsequent term if a packet matches first term. Is that not true for family filter?
-Vijesh
________________________________
From: Damien DeVille <damien.deville at gmail.com>
Sent: Thursday, April 23, 2015 5:17 PM
To: Vijesh Chandran
Cc: Olivier Benghozi; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] solution to a firewall question
Actually, my example is incorrect. Filter f1 should read as follows:
ddeville at testlab-rtr# show firewall
filter f1 {
term 1 {
from {
protocol tcp;
destination-port 80;
}
then {
count tcp_80;
}
}
}
When written this way, the second filter "f2" will be evaluated as part of the chain. See http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195
- Damien
On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com<mailto:damien.deville at gmail.com>> wrote:
While I don't understand why you have the requirement that you can't use next-term (seems to be arbitrary), you can accomplish this the "input-list" option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html
)
Here is a sample configuration:
ddeville at testlab-rtr# show interfaces ge-0/0/0
unit 0 {
family inet {
filter {
input-list [ f1 f2 ];
}
address 192.168.1.2/32<http://192.168.1.2/32>;
}
}
ddeville at testlab-rtr# show firewall
filter f1 {
term 1 {
from {
protocol tcp;
destination-port 80;
}
then {
count tcp_80;
accept;
}
}
}
filter f2 {
term 1 {
from {
dscp ef;
}
then {
forwarding-class expedited-forwarding;
accept;
}
}
}
- Damien
On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net<mailto:vijesh at juniper.net>> wrote:
Hi Olivier,
My bad that I didn't specify this in original mail...
Caveat here is that, next term shall be avoided as per requirement.
-Thanks,
Vijesh
________________________________________
From: juniper-nsp <juniper-nsp-bounces at puck.nether.net<mailto:juniper-nsp-bounces at puck.nether.net>> on behalf of Olivier Benghozi <olivier.benghozi at wifirst.fr<mailto:olivier.benghozi at wifirst.fr>>
Sent: Thursday, April 23, 2015 11:39 AM
To: juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] solution to a firewall question
Replace accept with next term in f1 ?
next term works across filter list from what I see and according to the documentation ( http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html <http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html> ).
Olivier
> Le 23 avr. 2015 à 17:18, Vijesh Chandran <vijesh at juniper.net<mailto:vijesh at juniper.net>> a écrit :
>
> Hi all,
> I am wondering if we have a solution to this issue.
> I need two firewall attached to an interface as input-list. e.g.: f1 and f2.
> Input-list [f1 f2]
> f1 to match a condition (all tcp port 80) and accept and count that packet.
> f2 to classify those packets based on code points and push to a forwarding class. Is this possible?
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list